Replace Math.random() with crypto function #3807
Comments
Is there a new version for this change?
No, I’m declining your request as it is nonsensical.
We are using the d3 package in some of our projects, and when we ran Fortify scans it was flagged as a high vulnerability. It is asking to replace Math.random() with a crypto function. There are other packages which have this same issue. I am trying to contact them as well. Thank you.
My friend,
the random numbers generated within D3 do not have a security implication.
What you should be doing is informing your "fortify" widget that d3 is not
part of your security / privacy landscape, not asking a graphics / data
analytics tool to present cryptographic random numbers.
Christopher Reay (they / them)
Be prepared to have your predictions come true
On Thu, 14 Dec 2023 at 17:00, swetha8612 wrote:
> We are using d3 package in some of our projects and when we ran fortify
> scans it has been flagged as high vulnerability. It is asking to replace
> Math.random() to crypto function. There are other packages which have this
> same issue. I am trying to contact them as well. Thank you.
There is a Math.random() in the dist/d3.js file.
Please update it with a crypto function like window.crypto.getRandomValues(new Uint32Array(10))[0]
The Fortify scan is raising it as a security vulnerability.